Analysis Overview
SHA256
996bac68adaff6b4cf092ebf62896de446faeb49f296215da3d04aef1c180b85
Threat Level: Shows suspicious behavior
The file a4c2690b4dd8f9cac118d02f119a4ce0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 13:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 13:19
Reported
2024-06-03 13:21
Platform
win7-20240215-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c2690b4dd8f9cac118d02f119a4ce0_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\a4c2690b4dd8f9cac118d02f119a4ce0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a4c2690b4dd8f9cac118d02f119a4ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a4c2690b4dd8f9cac118d02f119a4ce0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
"C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | actorsneedwebsites.com | udp |
Files
memory/2208-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2208-2-0x0000000000320000-0x0000000000326000-memory.dmp
\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
| MD5 | d65d18dcb5212491f9c78b96fd7492a5 |
| SHA1 | 0671a1697c9be00b6988c276bedeab3d4c250101 |
| SHA256 | 3f25fbd1e7b247fdc86fce0c14cadddec3ef7319606ab12ba1b1b24dfea5e8aa |
| SHA512 | ea2049a3508d1e8f9afd994eac0b96756f38bc64aebde8b2e2f6c0f35876c988f4397fae099a6b9f2ab1a3b7227b2c4bfb074fa7223db41e1af21540e4c0cf86 |
memory/2208-8-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2256-10-0x00000000002D0000-0x00000000002D6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 13:19
Reported
2024-06-03 13:22
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
162s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a4c2690b4dd8f9cac118d02f119a4ce0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3848 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\a4c2690b4dd8f9cac118d02f119a4ce0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a4c2690b4dd8f9cac118d02f119a4ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a4c2690b4dd8f9cac118d02f119a4ce0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
"C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | actorsneedwebsites.com | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
memory/3848-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3848-2-0x0000000002320000-0x0000000002326000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
| MD5 | d65d18dcb5212491f9c78b96fd7492a5 |
| SHA1 | 0671a1697c9be00b6988c276bedeab3d4c250101 |
| SHA256 | 3f25fbd1e7b247fdc86fce0c14cadddec3ef7319606ab12ba1b1b24dfea5e8aa |
| SHA512 | ea2049a3508d1e8f9afd994eac0b96756f38bc64aebde8b2e2f6c0f35876c988f4397fae099a6b9f2ab1a3b7227b2c4bfb074fa7223db41e1af21540e4c0cf86 |
memory/4968-10-0x0000000000670000-0x0000000000676000-memory.dmp
memory/3848-11-0x0000000000400000-0x000000000040A000-memory.dmp